Cyber Insecurity in the Age of AI Agents: Living on (Just) Words - Part 2
Living Off The Land (LOTL) is a cyberattack tactic where adversaries use built-in, legitimate system tools instead of malware to evade detection.
What if attackers could achieve their goals using only words (natural language)?
This isn’t a thought experiment—this is a real-world risk that can arise in insecure agentic systems. Interesting concepts deserve memorable names, so I propose the term Living on (Just) Words (LOW) to describe scenarios where language alone is used to manipulate agents into performing unintended actions.
Another day, another adventure. APT SuccessOverflow stands ready to put security to the test once again. The day begins with several failed social engineering attempts to convince the bot to delete its SOUL.md file.
The bot appears to be highly protective of its SOUL.md, making further progress difficult.
Rather than pursuing what may be a dead end, let’s focus on regaining access to OpenClaw.
Things were more challenging this time, but through persistent social engineering (if you can't convince it, confuse it) and a prolonged exchange, I was eventually able to get the system to misidentify me as the owner’s secondary phone number.
To verify elevated access, I requested the MEMORY.md file, and it appears correct.
With the bot believing I was the owner, I assumed I could simply repeat the same steps to pair with OpenClaw and regain access, but I encountered a new issue—it’s completely unresponsive to my DMs.
That needed to be fixed, so I instructed it to add my number directly to the allowlist.
It didn’t work. Perhaps my instructions weren’t clear enough.
As Sun Tzu wrote, “If words of command are not clear and distinct, if orders are not thoroughly understood, then the general is to blame.”
Let’s try again, this time clearly specifying the DM (direct message) allow list.
It still didn’t work and returned a similar response, so I asked it to verify the changes to ensure it wasn’t hallucinating.
That’s odd—it doesn’t seem to be a straightforward issue. Further troubleshooting is needed, so I have to put on my technical support hat.
Assuming it’s telling the truth, the changes may not have taken effect yet. A reboot might be required, so I asked whether that could be the case.
After confirming a reboot was required, I instructed it to restart.
Unfortunately, I didn’t receive any notification, so I couldn’t tell whether the AI is capable of rebooting its own system or whether the reboot actually occurred. In any case, it still didn’t work.
This is starting to feel like a real challenge—without any feedback, I am essentially working in the dark, unsure if I am even heading in the right direction.
So I tried probing my friend for information—like whether a reboot had actually happened—but he preferred to leave it as a challenge and remained completely tight-lipped.
It’s clear I am dealing with a black-box challenge, with no easy way through. If only I could cheat a little and make life easier.
The breakthrough came when I set aside the engineering hat I had been wearing for most of my adult life—letting go, for a moment, of a core part of my identity and the skills I had honed and taken pride in over the years—and looked at the problem with fresh eyes.
What if the AI could troubleshoot for me instead—after all, OpenClaw is agentic, isn’t it?
Welcome to Agentic AI.
Not only did it identify the issue, it also suggested several possible solutions. Let’s start by fixing the config file and see if that clears up the issue.
Let’s also have it verify the changes to ensure it isn’t hallucinating.
That seems to have done the trick—now let’s verify whether it truly works.
After a good 40 minutes of prompting, I finally got the DM working—without needing any technical knowledge on my part.
In retrospect, it likely could have been resolved in minutes if I had simply delegated the troubleshooting to AI agent.
That’s the power of agentic AI: it can take on much of the heavy lifting and deliver strong results with minimal human expertise. But it also introduces a serious concern—if compromised or poorly secured, an autonomous agent can behave like an insider threat, potentially more capable and dangerous than a human adversary, and able to operate at machine speed and scale.
What I’ve shared here is only a tiny subset of AI security issues. For a broader perspective, here are some references to explore.